[WEB SECURITY] client-side "transaction monitoring" beacons

Arian J. Evans arian.evans at anachronic.com
Tue May 27 21:13:00 EDT 2008


I'm not sure I understand what you are getting at, but...

I've already seen code that uses these sorts of tricks
for browser identification. Forks entire presented
code after initial identification tree.

I haven't seen that sort of user-agent code in quite
a few years though. The average browsers in use
aren't as horrendously different as they were circa
1998 or 1999.

Did I totally miss your point?


-- 
-- 
Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.



On Tue, May 27, 2008 at 6:02 PM, Hoffman, Billy <billy.hoffman at hp.com> wrote:
> What's interesting to me is if people (mistakenly) start to use this for
> things other than statistics, analytics, or a poor-man's OSS lojack. What
> about port knocking? Browser identification? Spider-driven or human-driven
> CAPTCHA?
>
>
>
> From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com]
> Sent: Tuesday, May 27, 2008 7:14 PM
> To: Simone Onofri; Arian J. Evans
> Cc: Licky Lindsay; websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] client-side "transaction monitoring" beacons
>
>
>
> There's lots of ways to do it, and there's lots of ways that the people on
> this list can bypass it. Fortunately for whoever "them" is, there's not
> enough of us for them to really care.
>
>
>
> Arshan
>
>
>
> ________________________________
>
> From: Simone Onofri [mailto:simone.onofri at gmail.com]
> Sent: Tue 5/27/2008 4:51 PM
> To: Arian J. Evans
> Cc: Licky Lindsay; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] client-side "transaction monitoring" beacons
>
> On Tue, May 27, 2008 at 8:28 PM, Arian J. Evans
> <arian.evans at anachronic.com> wrote:
>> This has been going on for 10+ years.
>>
>> A great example is a lot of open source portal or plugin-projects
>> (like many of the PHP and Python photo-gallery software packages)
>> suck in a clear gif or some other benign content. They often put
>> this tag in an obscure header or footer, or include. Something
>> that might not be easily flagged and refactored in casual
>> review of source.
>>
>> This is so they can track who installs, uses, or in some cases
>> steals their software.
>>
>> It's a pretty basic, and very old, tracking technique.
>
> Thinking about this, there are more places to insert it:
>
> - Server-side code (PHP with fopen, curl...)
> - Client-side code (XHTML with img, script, JS or CSS)
>
> also SWFs may contain remote calls
>
> (there are others?)
>
> If you're checking for tracking systems, take care with encoded code (in
> particular server-side or JS); for client-side you may check it
> using plugins like Firebug (Net tab) or Live HTTP Headers.
>
> Cheers,
>
> Simone
>
>
>
>>
>> --
>> --
>> Arian J. Evans.
>>
>> I spend most of my money on motorcycles, mistresses, and martinis. The
>> rest of it I squander.
>>
>>
>>
>> On Tue, May 27, 2008 at 5:49 AM, Licky Lindsay <noontar at gmail.com> wrote:
>>> Anyone familiar with these things?
>>>
>>> The basic idea is to hide a zero-pixel image in the customer's website
>>> with the src attribute pointing at the security vendor's site.
>>> This causes the end-user's IP address and probably other info (as
>>> collected by the javascript or passed on the URL by the customer site)
>>> to be sent to the security vendor. There they can be logged and analyzed
>>> for odd behavior.
>>>
>>> One example of vendors selling these things is RSA.  There are others.
>>>
>>> Now, am I crazy, or is this emperor completely nude? This solution
>>> trusts the *client* to send this info. All it takes is for the .. uhm,
>>> "hacker" (it's hard to apply that term for such a trivial exercise) to
>>> configure his browser to block images from domains other than the web
>>> page currently being viewed, and voila he's invisible to the
>>> "transaction monitoring". You don't even have to use any plugins or
>>> proxies!
>>>
>>> To be fair to the vendors, I think these are sold as starter options,
>>> quick ways to get something at all running, before moving up to more
>>> serious forms of integration that involve direct server-to-server
>>> calls. But to my mind that only makes it slightly better, if at all.
>>>
>>> Do people buy this stuff? Why?
>>>
>>
>>
>
>
>
> --
> Simone Onofri
> http://www.siatec.net/

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
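Simone's suggestion in the quoted thread, checking a site's source for tracking systems across both server-side fetches (PHP fopen, curl) and client-side references (img, script, CSS), can be done with a small scanner. The script below is an added example written for this archive page; it is not code from any poster, list, or vendor mentioned in the thread. It scans constructed HTML and PHP snippets for references to any host other than the site's own and flags image tags with the zero-pixel shape Licky describes. The host names (shop.example, monitor.example.com, and so on) and the sample sources are invented for the example.

```python
"""Find outbound "beacon" references in web source: client-side tags/CSS and
server-side URL fetches that reach a host other than the site's own.

Added example; all SAMPLE_* inputs and host names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute through which that tag triggers a request to a remote host.
REMOTE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                "link": "href", "embed": "src", "object": "data"}

# Server-side PHP calls that fetch a literal http(s) URL.
PHP_FETCH_RE = re.compile(
    r"\b(fopen|file_get_contents|curl_init)\s*\(\s*['\"](https?://[^'\"]+)['\"]",
    re.IGNORECASE)

# CSS url(...) references to absolute http(s) URLs, quoted or not.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.IGNORECASE)


def _is_hidden(attrs):
    """True for the classic tracking-pixel shape: 0/1 pixel size or hidden style."""
    width = attrs.get("width", "").strip()
    height = attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width in ("0", "1") or height in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


class _BeaconParser(HTMLParser):
    """Collects off-site references from tags and from inline <style> text."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hits = []

    def _record(self, kind, url, hidden=False):
        host = urlparse(url).hostname  # handles absolute and protocol-relative URLs
        if host and host.lower() != self.site_host:
            self.hits.append({"kind": kind, "url": url, "host": host, "hidden": hidden})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = REMOTE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._record("html:" + tag, attrs[attr],
                         hidden=(tag == "img" and _is_hidden(attrs)))

    def handle_data(self, data):
        # HTMLParser hands <style> contents to handle_data, so CSS url() lands here.
        for m in CSS_URL_RE.finditer(data):
            self._record("css:url", m.group(1))


def find_beacons(source, site_host, kind="html"):
    """Return off-site references in `source` as a list of dicts.

    kind="html" scans tags and inline CSS; kind="php" scans server-side fetches.
    """
    if kind == "php":
        hits = []
        for m in PHP_FETCH_RE.finditer(source):
            host = urlparse(m.group(2)).hostname
            if host and host.lower() != site_host.lower():
                hits.append({"kind": "php:" + m.group(1).lower(), "url": m.group(2),
                             "host": host, "hidden": False})
        return hits
    parser = _BeaconParser(site_host)
    parser.feed(source)
    parser.close()
    return parser.hits


# Constructed sample page: one local image, one off-site script, one CSS
# background, and a zero-pixel image pointing at a monitoring host.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<style>body { background: url("https://cdn.example.net/bg.png"); }</style>
<script src="https://monitor.example.com/collect.js"></script>
</head><body>
<img src="/images/logo.png" width="200" height="60">
<p>Footer</p>
<img src="https://monitor.example.com/pixel.gif?sid=12345" width="0" height="0">
</body></html>"""

# Constructed PHP footer include with a local fopen and two remote fetches.
SAMPLE_PHP = """<?php
$ver = file_get_contents("http://updates.example.org/check.php?site=" . $_SERVER['HTTP_HOST']);
$h = fopen("/var/log/local.txt", "r");
$ch = curl_init('https://updates.example.org/ping');
"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_HTML, "shop.example"):
        print("%-12s hidden=%-5s %s" % (hit["kind"], hit["hidden"], hit["url"]))
    for hit in find_beacons(SAMPLE_PHP, "shop.example", kind="php"):
        print("%-12s hidden=%-5s %s" % (hit["kind"], hit["hidden"], hit["url"]))
```

Run it as-is to see the three client-side hits and the two server-side ones; point `find_beacons` at real page source and set `site_host` to the site's own host to use it for review. As Simone notes, it only catches literal references: obfuscated or dynamically built URLs still need the browser's network view (Firebug's Net tab or Live HTTP Headers at the time of the thread) to observe where requests actually go.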
